Individuals share their information with brands and organizations when they buy products or services, while attending events, and so on. They do this without any certainty that their information will be kept confidential or be passed on to other organizations. In addition, most of these organizations that collect information also pass it on to their own marketing teams and other organizations that want to target promotional materials to an audience of their choice. These organizations call these individuals and email them, often without their indication of interest or consent. Things become further complicated when these organizations get their hands on more critical information about individuals, such as that related to bank accounts, social security details, and political affiliations.
The GDPR law is applicable to organizations:
- that collect data from European Union (EU) residents based inside or outside the EU
- that use the data inside or outside the EU
These organizations are prohibited from collecting any information relating to an individual’s private, professional, or public life without their consent.
It is crucial and vital for organizations to protect personal data of their employees, contacts, and individual customers, as these are both organizational assets as well as liabilities. The implications of the data controller, data processor, or the data subject not complying with the GDPR law are very high. The penalty for such a misstep is up to 4% of the annual global revenue of the company or €20 million, whichever is higher.
How SAP Cloud for Customer Complies with the GDPR Law in EU
Organizations can manage and control the data privacy of Master and transactional data in SAP Cloud for Customer (C4C) by setting up data privacy rules for Employees, Contacts, Individual Customers, and so on.
SAP categorizes personal data into two groups: Basic and Sensitive. Basic data includes any information related to a person that can be used to identify them. Sensitive data is that on race or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, health, bank and credit accounts, and so on.
A Data Subject, such as an individual, has the right to know who accessed their data, what kind of data is being stored by organizations, and so on. Customers have the right to know their data information where it’s being used, shared, and so on. Organizations cannot store personal information of any individual without purpose or explicit consent.
SAP C4C provides various tools to comply with GDPR regulatory guidelines. Organizations must decide what rules to define to comply with these guidelines.
SAP C4C provides the option for role-based authorization accesses to ensure that only those groups or individuals authorized to see the information access personal/sensitive data. It also captures read logs. Just in case someone from within the organization views the sensitive information, the system captures the logs of who accessed that information, what parts of the information were accessed, what time it was accessed, and so on. When someone makes changes to the customer, contact, employees, or similar fields, the system captures the change logs of what information was changed, who made the change, when the change was made, and so on.
The C4C application has a dedicated workplace (work center) for Data Privacy to view customer, employee, and contact information and offers the option to block or delete personal data across business transactions. Whenever someone requests the system for access to personal information, the work center provides the relevant information related to all transactions. It also provides the option to block or delete records based on requests.
The application also allows country wise customization of data retention policies. For example, an organization does not want data on their customers, who bought their solutions or services, to be deleted for at least two months after the purchase. C4C provides businesses the option to configure minimum retention periods per country to block data deletion of business partners, customers, employees, and other critical contact information and offers the block/deletion option to delete personal data across business transactions.
Why you should consider C4C as a solution for your organization while working under EU GDPR guidelines
SAP has been working in compliance with GDPR regulations for many years now. Therefore, its application tools are mature enough to comply with EU GDPR guidelines. SAP updates the C4C application every trimester and releases new updates periodically; hence, you can be certain that it will keep the tools that matter to you up-to-date.
Author: Anil Poply
Anil is a Managing Consultant – SAP Customer Experience (CX) at Knack Systems with over 10 years of experience across SAP CRM, ECC, and SAP CX solutions. He is a certified professional in Callidus CPQ (now part of SAP Sales Cloud) and SAP Cloud for Customer (now SAP Customer Experience). Anil has extensive experience in consulting for CRM solutions such as SAP CX, SAP CRM – Marketing, Sales, Service, Interaction Center, Middle-ware, and non-SAP application integrations such as Marketo, ExactTarget, Strongview, Silverpop, and so on. He has expertise in customer facing business processes for industries such as Manufacturing, Healthcare/Pharmaceutical, Distribution Retail, and Hi-Tech.